[TASK] Update vulnerable build dependencies
Update (most) vulnerable dependencies/packages found by
`npm audit fix --force --dry-run`.

Notes redarding package changes:

 * The outdated grunt-postcss plugin is replaced by a (maintained)
   fork for compatibility with newer grunt versions.

 * karma is updated to v6 and pulls in @types/node which conflicts with
   TypeScript type definitions by @types/requirejs. Therefore 3rd party
   type declarations from packages (@types/*) are now explicitly
   enabled in tsconfig.json – note that there is no other way to exclude
   from typeRoots:
   microsoft/TypeScript#18588

 * grunt-lintspaces and grunt-contrib-imagemin are replaced
   as these packages have not been updated to drop their
   vulnerable dependencies, while grunt-lintspaces and
   grunt-contrib-imagemin would cause downgrades to older
   versions when running `npm audit fix --force` (because only
   the older versions do not depend on vulnerable software).

 * (grunt-contrib-)imagemin is replaced by squoosh (by google) as
   a) imagemin dependencies ("bin-build" > "download") rely on vulnerable
      versions of "got".
      Neither of these packages is currently updated,see
      kevva/download#224
   b) imagemin is unmaintained:
      imagemin/imagemin#385
      and suggests squoosh as replacement

 * stylefmt is replaced by a maintained fork.

There is one remaining packages that pulls in a vulnerability alerts:

  * jquery-ui is marked as vulnerable (severity: high), but worked on
    in a separate patch #96497.
    (We don't actually use the vulnerable library parts though).

Vulnerability report before this patch:

    74 vulnerabilities (1 low, 30 moderate, 38 high, 5 critical)

Vulnerability report after this patch:

    1 high severity vulnerability
    (this is jquery-ui)

Commands executed:

  # Supposed to be non breaking, but broke grunt-css
  npm audit fix
  npm remove grunt-postcss
  npm install @lodder/grunt-postcss

  # Preparation for `npm audit fix --force` (breaking changes)
  npm install grunt@^1.5
  npm install grunt-lintspaces@^0.10.0
  npm remove grunt-lintspaces
  npm install --save-dev lintspaces-cli
  npm remove grunt-contrib-imagemin
  npm install --save-dev
  npm remove stylefmt
  npm install --save-dev @ronilaukkarinen/stylefmt
  npm audit fix --force

Releases: main
Resolves: #98198
Change-Id: I09df87fe131a499790e6c5f95f1c51e9216b71c2
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/75539
Tested-by: core-ci <typo3@b13.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
bnf committed Aug 25, 2022
1 parent e07a54a commit 0787c22
Showing 507 changed files with 6,113 additions and 14,247 deletions.
37 changes: 8 additions & 29 deletions Build/Gruntfile.js
Expand Up @@ -22,7 +22,8 @@ module.exports = function (grunt) {
grunt.registerMultiTask('formatsass', 'Grunt task for stylefmt', function () {
var options = this.options(),
done = this.async(),
stylefmt = require('stylefmt'),
stylefmt = require('@ronilaukkarinen/stylefmt'),
postcss = require('postcss'),
scss = require('postcss-scss'),
files = this.filesSrc.filter(function (file) {
return grunt.file.isFile(file);
Expand All @@ -35,7 +36,7 @@ module.exports = function (grunt) {
from: filepath,
syntax: scss
};
stylefmt.process(content, settings).then(function (result) {
postcss([stylefmt]).process(content, settings).then(function (result) {
grunt.file.write(file.dest, result.css);
grunt.log.success('Source file "' + filepath + '" was processed.');
counter++;
Expand Down Expand Up @@ -185,6 +186,8 @@ module.exports = function (grunt) {
},
exec: {
ts: ((process.platform === 'win32') ? 'node_modules\\.bin\\tsc.cmd' : './node_modules/.bin/tsc') + ' --project tsconfig.json',
lintspaces: ((process.platform === 'win32') ? 'node_modules\\.bin\\lintspaces.cmd' : './node_modules/.bin/lintspaces') + ' --editorconfig ../.editorconfig "../typo3/sysext/*/Resources/Private/**/*.html"',
squoosh: ((process.platform === 'win32') ? 'node_modules\\.bin\\squoosh-cli.cmd' : './node_modules/.bin/squoosh-cli') + ' --oxipng auto --output-dir ../typo3/sysext/core/Resources/Public/Icons/Flags/ ../typo3/sysext/core/Resources/Public/Icons/Flags/*.png' + ((process.platform === 'win32') ? '' : ' 2>&1'),
'npm-install': 'npm install'
},
eslint: {
Expand Down Expand Up @@ -729,31 +732,9 @@ module.exports = function (grunt) {
]
}
},
imagemin: {
flags: {
files: [
{
cwd: '<%= paths.sysext %>core/Resources/Public/Icons/Flags',
src: ['**/*.{png,jpg,gif}'],
dest: '<%= paths.sysext %>core/Resources/Public/Icons/Flags',
expand: true
}
]
}
},
lintspaces: {
html: {
src: [
'<%= paths.sysext %>*/Resources/Private/**/*.html'
],
options: {
editorconfig: '../.editorconfig'
}
}
},
concurrent: {
npmcopy: ['npmcopy:ckeditor', 'npmcopy:ckeditor_externalplugins', 'npmcopy:dashboard', 'npmcopy:umdToEs6', 'npmcopy:jqueryUi', 'npmcopy:install', 'npmcopy:all'],
lint: ['eslint', 'stylelint', 'lintspaces'],
lint: ['eslint', 'stylelint', 'exec:lintspaces'],
compile_assets: ['scripts', 'css'],
minify_assets: ['terser:thirdparty', 'terser:t3editor'],
copy_static: ['copy:core_icons', 'copy:install_icons', 'copy:module_icons', 'copy:extension_icons', 'copy:fonts', 'copy:t3editor'],
Expand All @@ -767,13 +748,11 @@ module.exports = function (grunt) {
grunt.loadNpmTasks('grunt-rollup');
grunt.loadNpmTasks('grunt-npmcopy');
grunt.loadNpmTasks('grunt-terser');
grunt.loadNpmTasks('grunt-postcss');
grunt.loadNpmTasks('@lodder/grunt-postcss');
grunt.loadNpmTasks('grunt-contrib-copy');
grunt.loadNpmTasks('grunt-exec');
grunt.loadNpmTasks('grunt-eslint');
grunt.loadNpmTasks('grunt-stylelint');
grunt.loadNpmTasks('grunt-lintspaces');
grunt.loadNpmTasks('grunt-contrib-imagemin');
grunt.loadNpmTasks('grunt-newer');
grunt.loadNpmTasks('grunt-concurrent');

Expand Down Expand Up @@ -879,7 +858,7 @@ module.exports = function (grunt) {
* - minifies svg files
* - compiles TypeScript files
*/
grunt.registerTask('default', ['clear-build', 'update', 'concurrent:copy_static', 'concurrent:compile_assets', 'concurrent:minify_assets', 'imagemin']);
grunt.registerTask('default', ['clear-build', 'update', 'concurrent:copy_static', 'concurrent:compile_assets', 'concurrent:minify_assets', 'exec:squoosh']);

/**
* grunt build task (legacy, for those used to it). Use `grunt default` instead.
Expand Down
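Review bot: The new `exec:squoosh` command on the `squoosh:` line narrows what the default task optimizes: it runs `--oxipng auto` over `Flags/*.png` only, whereas the removed `imagemin` config covered `**/*.{png,jpg,gif}` recursively in the same directory, so any jpg/gif or nested files there are silently skipped after this change. If that narrowing is intended, a comment next to the command such as `// squoosh replaces imagemin; only top-level PNGs in Flags/ are optimized, jpg/gif are no longer processed` would record it, otherwise the glob and encoder flags need widening. Separately, the `postcss([stylefmt]).process(content, settings).then(...)` chain in `formatsass` has no rejection handler visible in the hunk, so a postcss or stylefmt error would leave `done()` uncalled; if no `.catch` follows outside the hunk, adding one that logs the error and calls `done(false)` would fail the task instead of hanging it. The body of `formatsass` continues outside the hunk.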